shellsnoop(1m) USER COMMANDS 2007-08-05
NAME
shellsnoop - snoop live shell activity. Uses DTrace.
SYNOPSIS
shellsnoop [-hqsv] [-p PID] [-u UID]
DESCRIPTION
A program to print read/write details from shells, such as keystrokes and command output. Snooping keystrokes sounds somewhat dangerous, but this program is no more dangerous than /usr/bin/truss, and both need root or dtrace privileges to run. In fact it is less dangerous, as it only prints visible text (not password text, for example). Having said that, it goes without saying that this program shouldn't be used for breaching the privacy of other users. It was written as a tool to demonstrate the capabilities of DTrace. Since it uses DTrace, only the root user or users with the dtrace_kernel privilege can run this command.
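Because any account holding dtrace_kernel can run this tool, it is worth knowing which accounts have it. The check below is an added example, not part of the original man page or the DTraceToolkit. It lists users whose user_attr(4) entry grants dtrace_kernel directly through defaultpriv. The function names and the sample entries are constructed for illustration, and privileges granted through rights profiles or roles are not resolved.

```shell
#!/bin/sh
# Added example: find accounts whose defaultpriv set in user_attr(4) format
# includes dtrace_kernel, the privilege needed to run shellsnoop without root.
# Assumption: only direct defaultpriv entries are checked; uid 0 always
# qualifies and is not reported unless its entry says so.

list_dtrace_kernel_users() {
    # Reads user_attr(4) lines (user:qualifier:res1:res2:attr) on stdin and
    # prints one matching user name per line.
    awk -F: '
    /^[ \t]*#/ || NF < 5 { next }        # skip comments, blank and short lines
    {
        attr = $5
        for (i = 6; i <= NF; i++) attr = attr ":" $i   # rejoin stray colons
        granted = 0; denied = 0
        n = split(attr, kv, ";")         # attr is key=value;key=value;...
        for (i = 1; i <= n; i++) {
            if (kv[i] !~ /^defaultpriv=/) continue
            m = split(substr(kv[i], 13), p, ",")   # text after "defaultpriv="
            for (j = 1; j <= m; j++) {
                if (p[j] == "dtrace_kernel" || p[j] == "all") granted = 1
                # a leading "!" or "-" removes a privilege from the set
                if (p[j] == "!dtrace_kernel" || p[j] == "-dtrace_kernel") denied = 1
            }
        }
        if (granted && !denied) print $1
    }'
}

sample_user_attr() {
    # Constructed sample entries, not taken from a real system.
    cat <<'EOF'
# user:qualifier:res1:res2:attr
root::::auths=solaris.*;profiles=All;type=normal
alice::::defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user
bob::::type=normal;defaultpriv=basic,dtrace_user
carol::::defaultpriv=all,!dtrace_kernel
dave::::profiles=Primary Administrator;defaultpriv=all
EOF
}

# Demo on the constructed sample.
sample_user_attr | list_dtrace_kernel_users
```

On a live system the same function can be fed the real file: list_dtrace_kernel_users < /etc/user_attr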
OS
Solaris
STABILITY
stable - this script uses the syscall provider.
OPTIONS

-q quiet, only print data

-s include start time, us

-v include start time, string

-p PID PID to snoop

-u UID user ID to snoop

EXAMPLES

Default output: # shellsnoop

Human readable timestamps: # shellsnoop -v

Watch this PID only: # shellsnoop -p 1892

Watch this PID data only: # shellsnoop -qp 1892

FIELDS

UID user ID

PID process ID

PPID parent process ID

COMM command name

DIR direction (R read, W write)

TEXT text contained in the read/write

TIME timestamp for the command, us

STRTIME timestamp for the command, string

DOCUMENTATION
See the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may include full worked examples with verbose descriptions explaining the output.
EXIT
shellsnoop will run forever until Ctrl-C is hit.
AUTHOR
Brendan Gregg [Sydney, Australia]
SEE ALSO
dtrace(1M)